Skip to content
Latchkey

wrangler secret put: Worker Secrets in CI

wrangler secret put NAME stores an encrypted secret that a Worker reads at runtime, prompting for the value unless you pipe it in.

Secrets are set out of band from deploys. In CI you pipe the value on stdin so the normally interactive prompt never blocks.

What it does

wrangler secret put NAME encrypts a value and binds it to the Worker as an environment secret available via the runtime env. wrangler secret list shows the names (not values) and wrangler secret delete removes one. --env targets a named environment.

Common usage

Terminal
# pipe the value so it does not prompt
echo "$API_KEY" | wrangler secret put API_KEY
# scope to an environment
echo "$API_KEY" | wrangler secret put API_KEY --env production
# bulk from a JSON object of name/value pairs
wrangler secret bulk secrets.json

Options

Command / flagWhat it does
secret put NAMECreate or update an encrypted secret
secret listList secret names for the Worker
secret delete NAMERemove a secret
secret bulk <file>Upload many secrets from a JSON file
--env <name>Target a wrangler.toml environment

In CI

Always pipe the value via echo "$VAR" | wrangler secret put NAME; with no stdin the command tries to prompt and fails on a runner. Use secret bulk to set several at once and keep the value out of the process list (avoid putting secrets directly on the command line).

Common errors in CI

"Authentication error [code: 10000]" means a missing or under-scoped CLOUDFLARE_API_TOKEN. "Error: Failed to automatically retrieve account IDs ... in non-interactive mode" means CLOUDFLARE_ACCOUNT_ID is unset. A hang on secret put means no value was piped in.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →